Zerocash - Decentralized Anonymous Payments from Bitcoin

TUESDAY, JANUARY 26, 2021

The goal of Bitcoin is to develop a cryptocurrency that is truly anonymous. The authors begin the paper by explaining the difference between a “pseudonymous” and an “anonymous” cryptocurrency. They describe Bitcoin as pseudonymous: identities on the Bitcoin network do not use your real, legal name or other personal information, but there is still a digital moniker associated with you. A truly anonymous system, on the other hand, ensures that there is no identifying information at all, so that no action can be associated with or traced back to any specific individual. In Bitcoin, transactions incorporate an address’s public key value, so any observer can determine which addresses are associated with which public key. ZeroCash introduces a transaction scheme in which random strings stand in for a user’s identity; through a series of innovations, chiefly methods based on zero knowledge proofs, the ZCash platform can then process transactions without conveying any information about the parties involved.

The main contribution of this paper is its use of zero knowledge proofs. A zero knowledge proof is a method by which one party (the prover) can convince another (the verifier) that a given statement is true without disclosing anything beyond the fact that the statement is true. A simple example is committing to a value together with a secret “randomness” key: the key can later be used to demonstrate that a hashed value was correctly formed, yet the verifier learns nothing about the prover from the key itself. ZCash applies this technique to the cryptocurrency domain, and several parts of the original cryptocurrency architecture are reinvented as a result. Instead of publishing only a public key, a secret address key is also used for redeeming coins sent to that public key. Merkle trees in combination with zero knowledge proofs are used to mint and spend coins anonymously. Transaction verification now involves checking a sum over the previous coin values together with the public key. Distributing values effectively becomes important, so that a user can find and decrypt a message by scanning the pour transactions on the public ledger. The authors also demonstrate protections against popular cryptocurrency vulnerabilities and exploits such as double-spend attacks. ZeroCash ultimately offers a platform with ledger indistinguishability and transaction non-malleability.
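As an added illustration, not code from the paper or from the Zcash project, the following Python models the pieces described above: a coin commitment built from the public address, value and randomness, a Merkle tree over the published commitments, and the serial number that a spend reveals. SHA-256 stands in for the paper’s COMM and PRF functions (a simplifying assumption), and the pour check inspects the witness in the clear to show what the real zk-SNARK attests without revealing it.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 stands in for the paper's COMM and PRF families (simplifying assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def address_pk(a_sk: bytes) -> bytes:
    # a_pk = PRF^addr_{a_sk}(0): the published address; a_sk is the secret redeem key
    return H(b"addr", a_sk, b"\x00")

def coin_commitment(a_pk: bytes, v: int, rho: bytes, r: bytes, s: bytes) -> bytes:
    # cm = COMM_s(v || COMM_r(a_pk || rho)); only cm reaches the ledger when minting
    k = H(b"comm_r", r, a_pk, rho)
    return H(b"comm_s", s, v.to_bytes(8, "big"), k)

def serial_number(a_sk: bytes, rho: bytes) -> bytes:
    # sn = PRF^sn_{a_sk}(rho): revealed when spending; unlinkable to cm without a_sk
    return H(b"sn", a_sk, rho)

def merkle_root_and_path(leaves: list, index: int):
    """Root of a padded binary tree over commitments plus the sibling path of one leaf."""
    level, path = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate last node to keep the level even
        path.append((level[index ^ 1], index % 2))  # (sibling hash, leaf is right child?)
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_path(leaf: bytes, path: list, root: bytes) -> bool:
    node = leaf
    for sib, is_right in path:
        node = H(sib, node) if is_right else H(node, sib)
    return node == root

class Ledger:
    """What the public sees: commitments, Merkle roots and spent serial numbers."""
    def __init__(self):
        self.cms, self.spent = [], set()
    def mint(self, cm: bytes) -> None:
        self.cms.append(cm)
    def pour(self, a_sk: bytes, v: int, rho: bytes, r: bytes, s: bytes) -> bool:
        # The zk-SNARK would prove the facts below without revealing cm, v or a_sk;
        # here the witness is checked in the clear to show what the proof attests.
        cm = coin_commitment(address_pk(a_sk), v, rho, r, s)
        if cm not in self.cms:
            return False  # no such coin was ever minted
        root, path = merkle_root_and_path(self.cms, self.cms.index(cm))
        sn = serial_number(a_sk, rho)
        if not verify_path(cm, path, root) or sn in self.spent:
            return False  # bad Merkle witness, or double spend: sn already on the ledger
        self.spent.add(sn)
        return True
```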

I think there are a couple of zero knowledge proof related algorithms beyond the one used in this paper. A small evaluation section explaining whether other algorithms were vetted and why certain ones were chosen would help in understanding any functional discrepancies. I’d be interested in the performance and security comparisons of such algorithms (there may be a related-work paper I overlooked). I think there are also some challenges ZCash might have to overcome to become ready for practical use. For instance, to fully integrate with Bitcoin, a public trusted party and dropping the double-spend prevention would be necessary. Tor is proposed for IP-level anonymity. I’m not sure whether it’s for integrating with existing ledger-based currency, or whether it’s required for any Zerocash system to ensure anonymity. Last but not least, since the experiments in Section 7 use a Bitcoin network, I’d be more interested in a simulation that uses only a ZeroCash network.

I think the possible directions for ZeroCash fall primarily into two categories: more work to reduce the storage and performance overhead that comes with the new security designs, or improvements to the ZeroCash design itself. For instance, some performance gains could be made by batching updates to the Merkle trees. The authors discuss two more ideas in the extended paper, faster block propagation and extending everlasting anonymity. I think more evaluation of ZeroCash specifically, instead of a Bitcoin hybrid, would be very interesting. The performance results seem promising, but it could be worth looking into whether different zero knowledge proof methods might lead to faster run times or lower storage overhead.